CVE-2019-7553: Stored XSS in PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1

DESCRIPTION

PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has Stored XSS in the Profile Update page via the My Name field.

VENDOR

PHP Scripts Mall Pvt. Ltd.
[Affected Product Code Base] PHP Scripts Mall Chartered Accountant : Auditor Website - 2.0.1

POC

Steps to reproduce:

Go to http://74.124.215.220/~projclient/client/auditor

1. Register an account and log in.
2. Go to My Profile and update the My Name field with the XSS payload:
   <–`<img/src=` onerror=alert("Pw")> --!>
3. The XSS then executes on every page visited afterwards, wherever the stored name is rendered.
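An added example in Python (not from the advisory or the vendor's code base) showing the defect class behind this finding: the stored name concatenated into page markup beside the output-encoded version, plus an audit helper for already-stored profile data. The `render_*` and `find_suspicious_names` functions and the sample names are assumptions constructed here; only the payload string comes from the advisory.

```python
import html
import re

# The payload quoted in the advisory, with the blog's smart quotes restored to
# straight quotes so the embedded alert() is valid JavaScript.
PAYLOAD = '<–`<img/src=` onerror=alert("Pw")> --!>'


def render_profile_vulnerable(name: str) -> str:
    """Assumed vulnerable pattern: the stored name is dropped into the markup
    unchanged, so any tag-like text in it becomes live HTML on every page
    that shows the name (the stored XSS described above)."""
    return f"<p>Welcome, {name}</p>"


def render_profile_hardened(name: str) -> str:
    """Fix: encode the value for the HTML text context at output time.
    quote=True also encodes quote characters, so the same helper is safe
    for values that end up inside attribute values."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


# Audit helper for existing rows: a profile name should never contain a
# tag opener or an inline event-handler attribute such as onerror=.
SUSPECT = re.compile(r"<[a-zA-Z!/]|\bon[a-z]+\s*=", re.IGNORECASE)


def find_suspicious_names(stored_names):
    """Return the subset of stored names that look like injected markup,
    for clean-up after the rendering fix is deployed."""
    return [n for n in stored_names if SUSPECT.search(n)]


if __name__ == "__main__":
    # Constructed sample data: two ordinary names and the advisory payload.
    sample = ["Alice Smith", PAYLOAD, "O'Brien"]
    print(render_profile_vulnerable(PAYLOAD))
    print(render_profile_hardened(PAYLOAD))
    print(find_suspicious_names(sample))
```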

